Encryption

Encryption is the process of transforming readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and key. Only parties with the correct decryption key can reverse the process and access the original data. Encryption is one of the most effective controls for protecting data confidentiality and is required or strongly recommended by every major compliance framework.

Types of Encryption

• Encryption at rest — Protects data stored on disks, databases, and backup media. Examples include full-disk encryption (BitLocker, FileVault) and database-level encryption (TDE).
• Encryption in transit — Protects data as it moves between systems over networks. TLS/SSL is the standard for web traffic, APIs, and email communications.
• End-to-end encryption — Data is encrypted at the source and only decrypted at the destination, with no intermediate party able to access plaintext.
• Application-level encryption — Data is encrypted within the application before being stored, providing protection even if the underlying storage is compromised.

Compliance Requirements

PCI DSS requires encryption of cardholder data both at rest and in transit across open, public networks. Specific requirements address key management, strong cryptography standards, and regular key rotation.

HIPAA does not mandate encryption explicitly but classifies it as an "addressable" safeguard. In practice, encrypting ePHI at rest and in transit is the standard approach, and failing to encrypt is difficult to justify.

GDPR lists encryption as an appropriate technical measure under Article 32. Encrypted data that is breached may not trigger individual notification requirements if the encryption renders the data unintelligible.

ISO 27001 includes controls for cryptographic policy (A.8.24) and key management. Organizations must define which data requires encryption and manage cryptographic keys throughout their lifecycle.

Key Management

Encryption is only as strong as the key management process. Keys must be generated securely, stored separately from encrypted data, rotated on a defined schedule, and revoked when compromised. Poor key management — such as storing encryption keys alongside the encrypted database — negates the protection encryption provides.